HIPAA Security Rule Compliance as a Tool to Mitigate the Risk of Cyber-Related Security Incidents
By Paul J. Welk, PT, JD
For most physical therapy private practice owners, administrators, and staff, making sure that the practice complies with the Health Insurance Portability and Accountability Act (HIPAA) is not at the top of the list in terms of their favorite part of the workday.
That said, HIPAA-covered entities, which include the vast majority of physical therapy private practices, and business associates are required to comply with the HIPAA Privacy and Security rules and to take the time necessary to do so. This article will touch upon one important ancillary benefit of putting in the work to achieve HIPAA compliance — that is, the mitigation of risk when it comes to cyber-related security incidents that could adversely affect the practice.
Everyone reading this article is likely aware of the increase in cyber-related security incidents across all sectors of industry.1 Healthcare has certainly not been immune to these events, and there are numerous examples of cyber-related security incidents negatively affecting the healthcare industry.2-5 The negative effects of such an incident targeting a physical therapy practice can be substantial, and the author is aware of a number of such incidents that have occurred in physical therapy private practices in recent months, each with significant consequences.
These security incidents occur in a variety of ways, including but not limited to phishing scams (in which the bad actor poses as a legitimate business or organization to gain trust and access personal information), malware (which damages, steals information from, or otherwise disrupts a computer system, commonly through unsecured email links and attachments), ransomware (a form of malware that denies a user access to data until a ransom is paid), business email compromise, identity theft, and others.6 While these are known examples, perpetrators of cyber-related attacks are constantly developing new ways to access data, so physical therapy private practices must stay up-to-date with current trends and the related risk mitigation strategies.
Maintaining a robust HIPAA compliance program will, in and of itself, help a physical therapy practice mitigate the risk posed by current trends in cyber-related security incidents. This is because a robust program is not simply a completed item on a checklist; it is an ongoing process of putting in the work necessary to comply with the practice’s legal obligations. By way of specific example, the HIPAA Security Rule requires that a covered entity implement numerous security measures that assist in preventing cyber-related security incidents.
These include, but are not limited to, implementing policies and procedures to guard against cyber-related risk, training the workforce on how to detect and report cyber security issues, and restricting access to electronic protected health information to only those individuals who require it.7 The HIPAA Security Rule also requires covered entities and business associates to have in place policies and procedures for responding to and reporting security incidents and for recovering from a cyber-related security incident. For those newer to HIPAA compliance, the HIPAA Security Rule also requires that a covered entity perform a risk assessment of its operations to identify potential threats and implement security measures to mitigate the identified risks. To assist with this, the Office of the National Coordinator for Health Information Technology developed a downloadable Security Risk Assessment Tool.8
BEST PRACTICES FOR CYBER-RELATED INCIDENTS
Once a physical therapy private practice has performed the required risk assessment and is establishing appropriate policies and procedures, it is important to give proper attention to the policies, procedures, and processes that address how to respond, in a timely fashion, to a cyber-related security incident. As a practical matter, it is very difficult for a practice to respond appropriately to a cyber-related security incident if it has not given adequate consideration to the process before an actual incident occurs. As you develop a response plan for a cyber security incident, you can also take the opportunity to review your current insurance coverage, determine what coverage you have, and decide whether any changes in coverage may be appropriate.
In the event a physical therapy private practice is in the unfortunate situation of having to respond to a cyber-related security incident, the US Department of Health and Human Services Office for Civil Rights (OCR), the agency responsible for HIPAA enforcement, has a number of very helpful resources.9 These resources detail OCR’s recommendations and requirements related to executing a response and mitigation procedures, reporting the crime to law enforcement and other agencies, and, if applicable, reporting the breach to OCR and affected individuals.
In summary, complying with HIPAA is mandatory for covered entities and business associates. Doing so satisfies the practice’s legal obligation, but it is also worth understanding the additional benefits that come with maintaining HIPAA compliance, which include mitigating the risk of a cyber-related security incident. By following the appropriate steps and proactively considering applicable regulatory and other issues, physical therapy private practices can reduce their exposure to a cyber security incident and to the numerous adverse consequences, including those to patients and to the goodwill and financial position of the practice, that could result from such an incident.
1. Federal Bureau of Investigation. “What We Investigate: Cybercrime.” www.fbi.gov/investigate/cyber. Accessed April 14, 2022.
2. James L. “Attorney General James Announces $600,000 Agreement with EyeMed After 2020 Data Breach.” https://ag.ny.gov/press-release/2022/attorney-general-james-announces-600000-agreement-eyemed-after-2020-data-breach. Accessed April 7, 2022.
3. New Jersey Department of Law and Public Safety. “In the Matter of RCCA MSO LLC, Regional Cancer Care Associates LLC, and RCCA MD LLC Consent Order.” https://www.nj.gov/oag/newsreleases21/RCCA%20MSO%20LLC%20Consent%20Order.pdf. Accessed April 7, 2022.
4. Planned Parenthood LA. “Ransomware Attack Leaks Health Data of 400,000 Patients.” https://www.zdnet.com/article/planned-parenthood-la-announces-ransomware-incident-healthcare-info-of-400000-patients-leaked/. Accessed April 7, 2022.
5. Greig J. “Oregon Medical Group Notifies 750,000 Patients of Data Breach.” https://www.zdnet.com/article/oregon-medical-group-notifies-patients-of-cybersecurity-breach-says-fbi-seized-hellokitty-accounts/. Accessed April 7, 2022.
6. AIHC. “Cybercrime Risk and HIPAA Compliance.” https://aihc-assn.org/cybercrime-risk-and-hipaa-compliance/. Accessed April 7, 2022.
7. HHS. “Fact Sheet: Ransomware and HIPAA.” https://www.hhs.gov/hipaa/for-professionals/security/guidance/cybersecurity/ransomware-fact-sheet/index.html. Accessed April 7, 2022.
8. HealthIT. “Security Risk Assessment Tool.” www.healthit.gov. Accessed April 7, 2022.
9. HHS. “My Entity Just Experienced a Cyber-Attack! What Do We Do Now?” https://www.hhs.gov/sites/default/files/cyber-attack-checklist-06-2017.pdf. Accessed April 7, 2022.
Paul Welk, PT, JD, is a Private Practice Section member and an attorney with Tucker Arensberg, P.C., where he frequently advises physical therapy private practices in the areas of corporate and healthcare law. Questions and comments can be directed to email@example.com or (412) 594-5536.